Install SecureAuth RADIUS Server
Follow the steps in this guide to install SecureAuth® Identity Platform RADIUS server version 20.12.xx for the first time. For upgrade instructions, see Upgrade SecureAuth RADIUS Server.
For optimum performance in a large organization, consider installing or upgrading SecureAuth RADIUS separately from the Identity Platform server.
If you have any questions, contact SecureAuth Support.
Installation steps
Before installing SecureAuth RADIUS Server, ensure that you have SecureAuth IdP 9.3 or Identity Platform release 19.07 or later installed.
Note
Do not install SecureAuth Identity Platform RADIUS server version 20.12 on a Windows Domain Controller.
Download the SecureAuth RADIUS Server installation file from the SecureAuth Product Downloads page.
Double-click the SecureAuth-IdP-RADIUS-Server-20.12.13.exe file to start the install wizard. If you have not already logged in as an administrator, you will be prompted to do so.
Click Next to proceed.
Select the folder where you want to install the RADIUS Agent.
Select the appropriate checkboxes to enable quick access to the RADIUS Admin Console via a desktop icon or the Start menu selection:
Create a Desktop icon.
Create an entry in the Start Menu.
Click Next to review settings.
Review settings and do one of the following:
Click Back to make edits.
Click Install to begin installing the RADIUS service.
After the installation is complete, optionally select the files to start when the wizard closes:
View README.
Launch RADIUS Administration Console.
Click Finish to close the install wizard.
If either or both files were selected in the previous step, the requested files are displayed.
Optional configurations
The following are optional configurations you can make to customize the SecureAuth RADIUS Server.
RADIUS admin console configuration to use HTTPS
You can configure the RADIUS admin console to use HTTPS instead of HTTP.
Before you begin, make sure you have the following:
SSL certificate via PKCS12 file (PFX_FILE). This can be a self-signed certificate.
RADIUS Server installed.
To configure the RADIUS admin console for HTTPS, follow these two short procedures.
At the command prompt, go to the keytool root folder:
# cd <RADIUS_INSTALLATION_FOLDER>\bin\serverJre\jre\bin
Use the keytool command to import the PFX file into the Oracle Java KeyStore provided along with RADIUS, which is in: <RADIUS_INSTALLATION_FOLDER>\bin\serverJre\jre\lib\security\cacerts
For example,
# keytool.exe -importkeystore -srckeystore "<PATH_TO_THE_PFX_FILE>" -destkeystore "..\lib\security\cacerts" -srcstoretype pkcs12
Note
Oracle sets the destination keystore password by default to "changeit". Make sure to use the right password if this was changed.
You should see this response if the command was successful:
Entry for alias <THE_KEY_ALIAS> successfully imported.
After you import the SSL certificate, do the following to configure RADIUS to use HTTPS.
Create an application.properties file with the following structure:
server.address=127.0.0.1
management.port=-1
spring.messasges.basename=message
server.ssl.key-store: file:C:\\Program Files\\SecureAuth Corporation\\SecureAuth IdP RADIUS Agent\\bin\\serverJre\\jre\\lib\\security\\cacerts
server.ssl.key-store-password: <KEYSTORE_PASSWORD>
server.ssl.key-type: pkcs12
server.ssl.key-alias: <KEY_ALIAS>
server.ssl.key-password: <PFX_PASSWORD>
server.port:<HTTPS_PORT>
For example:
server.address=127.0.0.1
management.port=-1
spring.messasges.basename=message
server.ssl.key-store: file:C:\\Program Files\\SecureAuth Corporation\\SecureAuth IdP RADIUS Agent\\bin\\serverJre\\jre\\lib\\security\\cacerts
server.ssl.key-store-password: abc123
server.ssl.key-type: pkcs12
server.ssl.key-alias: 1
server.ssl.key-password: 456xyz
server.port:8443
Insert the application.properties file inside the folder <RADIUS_INSTALLATION_FOLDER>/bin. For example:
C:\Program Files\SecureAuth Corporation\SecureAuth IdP RADIUS Agent\bin\application.properties
Use the Windows Services Manager (services.msc) to restart the RADIUS server.
Open the web browser and go to https://localhost:8443/configuration.
Note
If you need to undo this change, you can erase the new application.properties file and restart the RADIUS server.
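A post-change check for the HTTPS procedure above, added here as an example and not part of SecureAuth's own tooling. It assumes the default install path used in this guide; the variable names and the KS_PW environment variable are illustrative.

```powershell
# Added example, not SecureAuth code. Run from an elevated PowerShell session.
# $RadiusBin is an assumption: the default install path shown in this guide.
$RadiusBin = 'C:\Program Files\SecureAuth Corporation\SecureAuth IdP RADIUS Agent\bin'
$PropsPath = Join-Path $RadiusBin 'application.properties'
$Keytool   = Join-Path $RadiusBin 'serverJre\jre\bin\keytool.exe'

# Parse "key=value" and "key: value" lines; both forms appear in the file.
$props = @{}
foreach ($line in Get-Content -LiteralPath $PropsPath) {
    if ($line -match '^\s*([^#!\s][^=:]*?)\s*[=:]\s*(.*?)\s*$') { $props[$Matches[1]] = $Matches[2] }
}
$port     = $props['server.port']
$alias    = $props['server.ssl.key-alias']
$findings = @()

# 1. The console should stay bound to loopback, as in the guide's template.
if ($props['server.address'] -ne '127.0.0.1') {
    $findings += "server.address is '$($props['server.address'])', not 127.0.0.1"
}
# 2. The keystore should no longer use the default password.
if ($props['server.ssl.key-store-password'] -eq 'changeit') {
    $findings += 'keystore still uses the default password "changeit"'
}
# 3. The configured alias must exist in the keystore the file points at.
$ks = ($props['server.ssl.key-store'] -replace '^file:', '') -replace '\\\\', '\'
$env:KS_PW = $props['server.ssl.key-store-password']   # env var keeps it off the command line
& $Keytool '-list' '-keystore' $ks '-storepass:env' 'KS_PW' '-alias' $alias 2>&1 | Out-Null
if ($LASTEXITCODE -ne 0) { $findings += "keytool could not list alias '$alias' in $ks" }
Remove-Item Env:\KS_PW

# 4. After the service restart, the HTTPS port should listen on loopback only.
$listen = @(Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue)
if (-not $listen) { $findings += "nothing is listening on port $port" }
foreach ($l in $listen) {
    if ($l.LocalAddress -notin '127.0.0.1', '::1') { $findings += "port $port is bound to $($l.LocalAddress)" }
}

# 5. The file holds plaintext passwords: flag access granted to broad groups.
$broad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-32-545' = 'Users' }
$rules = (Get-Acl -LiteralPath $PropsPath).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
foreach ($r in $rules) {
    if ($r.AccessControlType -eq 'Allow' -and $broad.ContainsKey($r.IdentityReference.Value)) {
        $findings += "$($broad[$r.IdentityReference.Value]) has $($r.FileSystemRights) on application.properties"
    }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'All checks passed.' }
```

Files under Program Files normally inherit read access for the local Users group, so expect check 5 to report it unless the ACL on this file has been tightened.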
Disable special character support in user IDs (SecureAuth IdP 9.2 only)
Customers running SecureAuth IdP 9.2 must disable support for special characters; otherwise, end users who use special characters in their user IDs will not be able to authenticate.
Open the appliance.radius.properties file in a text editor. This file is located in the conf folder. For example: C:\Program Files\SecureAuth Corporation\SecureAuth IdP RADIUS Agent\bin\conf
Set enable.special.characters.for.userid=false, as shown in the following image:
Save your changes.
Display multiple authentication devices
Allow end users to select their authentication device if they have more than one device.
Open the appliance.radius.properties file in a text editor. This file is located in the conf folder. For example: C:\Program Files\SecureAuth Corporation\SecureAuth IdP RADIUS Agent\bin\conf
Add the radius.oath.strategy=ask_by_otp_device property, as shown in the following image.
Save your change.
End user experience
When end users with multiple devices authenticate, the following screen appears:
Additionally, SecureAuth RADIUS server supports both HMAC-based One-Time Password (HOTP) and Time-based One-Time Password (TOTP) in seed and token modes, so the TOTP/HOTP authentication type appears instead of OTP:
Maximize login requests with timeout value
Maximize successful login requests to the Identity Platform by setting a timeout value.
Open the appliance.radius.properties file in a text editor. This file is located in the conf folder. For example: C:\Program Files\SecureAuth Corporation\SecureAuth IdP RADIUS Agent\bin\conf
Add the idp.api.timeout=n property, where n is the timeout value in milliseconds.
For example, idp.api.timeout=50000. If a value for idp.api.timeout is not specified, it is set to 50000 by default.
Save your change.
Set the number of UDP processor threads
Set the number of User Datagram Protocol (UDP) processor threads that SecureAuth RADIUS can use to receive access-request packets.
Open the appliance.radius.properties file in a text editor. This file is located in the conf folder. For example: C:\Program Files\SecureAuth Corporation\SecureAuth IdP RADIUS Agent\bin\conf
Add the radius.processorThreads=n property, where n is the number of processor threads.
For example, radius.processorThreads=50. If a value for radius.processorThreads is not specified, it is set to 50 by default for best performance.
Save your change.
Open your system's Task Manager and select the Services tab.
Right-click secureAuthRadius and click Restart.
When you lose connection, cancel out of the reconnect dialog.
Select the Services tab and copy the PID for the java.exe process.
Open PowerShell as an Administrator.
Append the PID for the java.exe process to jconsole.exe and run the command.
jconsole.exe <PID>
For example:
jconsole.exe 4648
Set the PIN length for PIN + OTP authentication
Set the PIN length for your end users for the PIN + OTP authentication workflow.
Open the appliance.radius.properties file in a text editor. This file is located in the conf folder. For example: C:\Program Files\SecureAuth Corporation\SecureAuth IdP RADIUS Agent\bin\conf
Add the pin.length = n property, where n is the PIN length. Set a PIN length of up to 18 digits.
For example, pin.length = 8.
Save your change.
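A pre-restart sanity check for the appliance.radius.properties settings described above, added here as an example and not part of SecureAuth's own tooling. The function name Test-RadiusProperties, the sample lines and the "positive integer" rule are assumptions of this example; the defaults and the PIN limit come from this guide.

```powershell
# Added example, not SecureAuth code. The path is the default location named in this guide.
$ConfPath = 'C:\Program Files\SecureAuth Corporation\SecureAuth IdP RADIUS Agent\bin\conf\appliance.radius.properties'
# Integer keys from this guide: Default is the documented default, Max the documented limit.
# Treating every value as a positive integer is this example's assumption.
$intKeys = [ordered]@{
    'idp.api.timeout'         = @{ Default = 50000; Max = $null }
    'radius.processorThreads' = @{ Default = 50;    Max = $null }
    'pin.length'              = @{ Default = $null; Max = 18 }
}

function Test-RadiusProperties {
    param([string[]]$Lines)
    $seen = @{}; $issues = @()
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^#!\s=]+)\s*=\s*(.*?)\s*$') {
            # A repeated key makes it ambiguous which value the server will use.
            if ($seen.ContainsKey($Matches[1])) { $issues += "duplicate key '$($Matches[1])'" }
            $seen[$Matches[1]] = $Matches[2]
        }
    }
    $effective = [ordered]@{}
    foreach ($key in $intKeys.Keys) {
        $n = 0; $max = $intKeys[$key].Max
        if (-not $seen.ContainsKey($key)) { $effective[$key] = $intKeys[$key].Default; continue }
        $effective[$key] = $seen[$key]
        if (-not [int]::TryParse($seen[$key], [ref]$n)) {
            $issues += "$key='$($seen[$key])' is not an integer"
        } elseif ($n -lt 1) {
            $issues += "$key=$n must be a positive integer"
        } elseif ($max -and $n -gt $max) {
            $issues += "$key=$n exceeds the maximum of $max"
        }
    }
    $flag = 'enable.special.characters.for.userid'
    if ($seen.ContainsKey($flag) -and $seen[$flag] -notin 'true', 'false') {
        $issues += "$flag='$($seen[$flag])' should be true or false"
    }
    [pscustomobject]@{ Effective = $effective; Issues = $issues }
}

# Constructed sample input; on a server, pass (Get-Content -LiteralPath $ConfPath) instead.
$sample = 'idp.api.timeout=50s', 'pin.length = 8', 'pin.length = 20', 'radius.oath.strategy=ask_by_otp_device'
$result = Test-RadiusProperties -Lines $sample
$result.Effective
$result.Issues | ForEach-Object { Write-Warning $_ }
```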